Skip to content

Fix ANSI escape filtering to handle OSC 3008 audit logs from systemd 258 #4124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Fix ANSI escape filtering to handle OSC 3008 audit logs from systemd 258 #4124

wants to merge 2 commits into from

Conversation

@rlmenge
Copy link
Contributor

@rlmenge rlmenge commented Nov 21, 2025

Fedora 43 (systemd 258) introduces OSC (Operating System Command) 3008
ANSI escape sequences for sudo audit logging when PTY is allocated.
These sequences appear in command output and break regex parsing in tools
like lspci.

OSC sequences have format: ESC ] BEL or ESC ] ESC Example: \x1b]3008;start=UUID;user=name;hostname=host;...\x1b
The previous regex pattern had a character class bug: the range -_
(0x5c-0x5f) inadvertently included ] (0x5d), causing the regex to match
ESC and ] as separate characters instead of recognizing the full OSC
sequence.

Changes:

  • Reordered alternation to match OSC pattern first, preventing premature
    matching by the single-character escape range
    detecting ESC \ terminator
  • Supports both BEL (0x07) and ST (ESC , 0x1b 0x5c) terminators

Tested with:

  • OSC 3008 sequences from Fedora 43 systemd 258
  • CSI sequences (existing functionality)
  • Single-character escapes (existing functionality)
  • Both BEL and ST terminators

This fix maintains backward compatibility with existing ANSI escape
filtering while handling modern systemd audit logging.

@rlmenge
Fix ANSI escape filtering to handle OSC 3008 audit logs from systemd 258
8e8269a 
Fedora 43 (systemd 258) introduces OSC (Operating System Command) 3008
ANSI escape sequences for sudo audit logging when PTY is allocated.
These sequences appear in command output and break regex parsing in tools
like lspci.

OSC sequences have format: ESC ] <data> BEL  or  ESC ] <data> ESC Example: \x1b]3008;start=UUID;user=name;hostname=host;...\x1b
The previous regex pattern had a character class bug: the range \-_
(0x5c-0x5f) inadvertently included ] (0x5d), causing the regex to match
ESC and ] as separate characters instead of recognizing the full OSC
sequence.

Changes:
- Reordered alternation to match OSC pattern first, preventing premature
  matching by the single-character escape range
  detecting ESC \ terminator
- Supports both BEL (0x07) and ST (ESC \, 0x1b 0x5c) terminators

Tested with:
- OSC 3008 sequences from Fedora 43 systemd 258
- CSI sequences (existing functionality)
- Single-character escapes (existing functionality)
- Both BEL and ST terminators

This fix maintains backward compatibility with existing ANSI escape
filtering while handling modern systemd audit logging.
@rlmenge
Fix formatting
8339cb4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@LiliDeng LiliDeng Awaiting requested review from LiliDeng LiliDeng will be requested when the pull request is marked ready for review LiliDeng is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rlmenge